Analysis Report samtidshistoriker.exe

Overview

General Information

Sample Name: samtidshistoriker.exe
Analysis ID: 394429
MD5: 780254149cfe37ce295a82588be31204
SHA1: c28ac373e62a87ae40ad378458d68adc0255558d
SHA256: 74c9a0f54acec0d6579e9a43c75571f05eeb7393f43c13a5e790bfbb262dcb2e
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000001.00000002.858722881.0000000000500000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Multi AV Scanner detection for submitted file
Source: samtidshistoriker.exe Virustotal: Detection: 52% Perma Link
Source: samtidshistoriker.exe Metadefender: Detection: 14% Perma Link
Source: samtidshistoriker.exe ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: samtidshistoriker.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: samtidshistoriker.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=14HidX9PYpF9MdDuU2Alpazy_Sg8A9xmd

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: samtidshistoriker.exe, 00000001.00000002.858918272.000000000074A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process Stats: CPU usage > 98%
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: String function: 004022AC appears 361 times
PE file contains strange resources
Source: samtidshistoriker.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: samtidshistoriker.exe, 00000001.00000002.859509112.0000000002410000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs samtidshistoriker.exe
Uses 32bit PE files
Source: samtidshistoriker.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal92.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\samtidshistoriker.exe File created: C:\Users\user\AppData\Local\Temp\~DF654EE9A628DC3A95.TMP Jump to behavior
Source: samtidshistoriker.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\samtidshistoriker.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: samtidshistoriker.exe Virustotal: Detection: 52%
Source: samtidshistoriker.exe Metadefender: Detection: 14%
Source: samtidshistoriker.exe ReversingLabs: Detection: 48%

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.858722881.0000000000500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: samtidshistoriker.exe PID: 6692, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: samtidshistoriker.exe PID: 6692, type: MEMORY
PE file contains an invalid checksum
Source: samtidshistoriker.exe Static PE information: real checksum: 0x322ea should be: 0x39700
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00408066 push edi; ret 1_2_004080C7
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_0040947C push ebx; retf 1_2_00409481
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00407618 push ecx; retf 1_2_00407619
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004050CC push esp; iretd 1_2_0040510F
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004096D6 push eax; ret 1_2_004096D7
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00404EAC push ds; retf 1_2_00404EE9
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00403AAD push ecx; iretd 1_2_00403AAE
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004062BB push FFFFFF81h; ret 1_2_004062CB
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_0040791D push ebx; iretd 1_2_00407F3E
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_0040611E push ebp; retf 1_2_00406121
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_0040552E push ebp; ret 1_2_0040552F
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00409138 push ds; iretd 1_2_00409139
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00409BC5 push 3975AA4Dh; ret 1_2_00409BCD
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004099D4 push ds; retf 1_2_004099D5
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00409BDA push edx; ret 1_2_00409BE7
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004091E1 pushad ; iretd 1_2_004091E2
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004099ED pushad ; iretd 1_2_00409A0E
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_00409BF3 push ebx; iretd 1_2_00409BFD
Source: C:\Users\user\Desktop\samtidshistoriker.exe Code function: 1_2_004071F6 push edx; ret 1_2_004071F7
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 0000000000505A0C second address: 0000000000505A0C instructions:
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 0000000000505983 second address: 0000000000505983 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ebx 0x0000000c movzx ebx, byte ptr [esi] 0x0000000f cmp ch, 00000060h 0x00000012 add edx, ebx 0x00000014 add esi, 02h 0x00000017 cmp word ptr [esi], 0000h 0x0000001b jne 00007FB488AD7832h 0x0000001d jmp 00007FB488AD789Ah 0x0000001f pushad 0x00000020 mov bx, 9C89h 0x00000024 cmp bx, 9C89h 0x00000029 jne 00007FB488AD2611h 0x0000002f popad 0x00000030 mov ebx, edx 0x00000032 test ch, bh 0x00000034 shl edx, 05h 0x00000037 pushad 0x00000038 rdtsc
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: samtidshistoriker.exe, 00000001.00000002.858722881.0000000000500000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 000000000040A5EF second address: 000000000040A5EF instructions: 0x00000000 rdtsc 0x00000002 cmp eax, 0000009Ah 0x00000007 cmp ebx, 000000BDh 0x0000000d cmp eax, 65h 0x00000010 cmp ebx, 000000B6h 0x00000016 cmp ebx, 37h 0x00000019 cmp eax, 000000C2h 0x0000001e pandn mm5, mm0 0x00000021 punpckhdq xmm3, xmm2 0x00000025 fyl2x 0x00000027 psubsw xmm7, xmm7 0x0000002b fninit 0x0000002d psubusb xmm2, xmm6 0x00000031 punpckhbw xmm5, xmm7 0x00000035 pcmpeqb xmm7, xmm0 0x00000039 fnclex 0x0000003b fpatan 0x0000003d jmp 00007FB48892C49Eh 0x0000003f cmp eax, 7Dh 0x00000042 cmp edi, 02EAFF40h 0x00000048 movd mm1, ebx 0x0000004b movd mm1, ebx 0x0000004e movd mm1, ebx 0x00000051 movd mm1, ebx 0x00000054 jne 00007FB48892C2FAh 0x0000005a inc edi 0x0000005b cmp eax, 000000D1h 0x00000060 cmp ebx, 000000D6h 0x00000066 cmp ebx, 49h 0x00000069 cmp eax, 1Eh 0x0000006c cmp ebx, 000000E0h 0x00000072 cmp ebx, 2Ah 0x00000075 psrlq xmm2, 46h 0x0000007a psrld mm2, B8h 0x0000007e fnop 0x00000080 fld1 0x00000082 fmulp st(6), st(0) 0x00000084 fldz 0x00000086 fldl2t 0x00000088 paddusw mm3, mm6 0x0000008b nop 0x0000008c pmullw xmm7, xmm3 0x00000090 jmp 00007FB48892C497h 0x00000092 cmp ebx, 58h 0x00000095 cmp ebx, 000000BDh 0x0000009b rdtsc
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 00000000005059CA second address: 0000000000505A0C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test al, dl 0x0000000d cmp dh, ah 0x0000000f cmp cl, al 0x00000011 test ch, 00000032h 0x00000014 jmp 00007FB488AD789Ah 0x00000016 pushad 0x00000017 mov bx, 5EFCh 0x0000001b cmp bx, 5EFCh 0x00000020 jne 00007FB488AD2583h 0x00000026 popad 0x00000027 test ch, bh 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 0000000000505A0C second address: 0000000000505A0C instructions:
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 0000000000505983 second address: 0000000000505983 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ebx 0x0000000c movzx ebx, byte ptr [esi] 0x0000000f cmp ch, 00000060h 0x00000012 add edx, ebx 0x00000014 add esi, 02h 0x00000017 cmp word ptr [esi], 0000h 0x0000001b jne 00007FB488AD7832h 0x0000001d jmp 00007FB488AD789Ah 0x0000001f pushad 0x00000020 mov bx, 9C89h 0x00000024 cmp bx, 9C89h 0x00000029 jne 00007FB488AD2611h 0x0000002f popad 0x00000030 mov ebx, edx 0x00000032 test ch, bh 0x00000034 shl edx, 05h 0x00000037 pushad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\samtidshistoriker.exe RDTSC instruction interceptor: First address: 00000000005030BA second address: 00000000005030BA instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FB48892C464h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FB48892C45Ah 0x0000001f test dh, ah 0x00000021 pop ecx 0x00000022 test bh, FFFFFFF5h 0x00000025 test eax, ecx 0x00000027 add edi, edx 0x00000029 test ax, ax 0x0000002c dec ecx 0x0000002d cmp bh, ch 0x0000002f cmp ecx, 00000000h 0x00000032 jne 00007FB48892C40Dh 0x00000034 push ecx 0x00000035 call 00007FB48892C4A0h 0x0000003a call 00007FB48892C474h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: samtidshistoriker.exe, 00000001.00000002.858722881.0000000000500000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\samtidshistoriker.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: samtidshistoriker.exe, 00000001.00000002.859123552.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: samtidshistoriker.exe, 00000001.00000002.859123552.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: samtidshistoriker.exe, 00000001.00000002.859123552.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: samtidshistoriker.exe, 00000001.00000002.859123552.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 394429 Sample: samtidshistoriker.exe Startdate: 21/04/2021 Architecture: WINDOWS Score: 92 8 Found malware configuration 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected GuLoader 2->12 14 4 other signatures 2->14 5 samtidshistoriker.exe 1 2->5         started        process3 signatures4 16 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 5->16 18 Found potential dummy code loops (likely to delay analysis) 5->18 20 Tries to detect virtualization through RDTSC time measurements 5->20
No contacted IP infos